#23 Work In Progress

fireflycons · Jan 11, 2020 · 1660cee · 1660cee
1 parent c01bc7a
commit 1660cee
Show file tree

Hide file tree

Showing 6 changed files with 146 additions and 42 deletions.
diff --git a/aws-toolbox/Private/IAM/Get-CredentialProcess.ps1 b/aws-toolbox/Private/IAM/Get-CredentialProcess.ps1
@@ -32,7 +32,7 @@ function Get-CredentialProcess
         $sb.Append($process.PowerShell) | Out-Null
     }
 
-    $sb.Append(" -Command `"Import-Module $($process.Module); Set-AwsCredentail {0}; Get-ATIAMSessionCredentials -AwsCli`"") | Out-Null
+    $sb.Append(" -Command `"Import-Module $($process.Module); Set-AwsCredential {0}; Get-ATIAMSessionCredentials -AwsCli`"") | Out-Null
 
     $process['CredentialProcess'] = $sb.ToString()
 

diff --git a/aws-toolbox/Private/Utils/Read-CliConfigurationFile.ps1 b/aws-toolbox/Private/Utils/Read-CliConfigurationFile.ps1
@@ -6,16 +6,18 @@ Function Read-CliConfigurationFile
         [switch]$Config,
 
         [Parameter(Mandatory, ParameterSetName = 'credentials')]
-        [switch]$Credentials,
-
-        [string]$AlternateDirectory
+        [switch]$Credentials
     )
 
     $FilePath = $(
 
-        if (-not [string]::IsNullOrEmpty($AlternateDirectory))
+        if ($Config -and $null -ne $env:AWS_CONFIG_FILE)
+        {
+            $env:AWS_CONFIG_FILE
+        }
+        elseif ($Credentials -and $null -ne $env:AWS_SHARED_CREDENTIALS_FILE)
         {
-            Join-Path $AlternateDirectory $PSCmdlet.ParameterSetName
+            $env:AWS_SHARED_CREDENTIALS_FILE
         }
         else
         {

diff --git a/aws-toolbox/Private/Utils/Write-CliConfigurationFile.ps1 b/aws-toolbox/Private/Utils/Write-CliConfigurationFile.ps1
@@ -10,18 +10,21 @@ Function Write-CliConfigurationFile
 
         [ValidateNotNullOrEmpty()]
         [Parameter(ValueFromPipeline = $True, Mandatory = $True)]
-        [Hashtable]$InputObject,
-
-        [string]$AlternateDirectory
+        [Hashtable]$InputObject
     )
 
     Begin
     {
         $Encoding = 'ASCII'
         $FilePath = $(
-            if (-not [string]::IsNullOrEmpty($AlternateDirectory))
+
+            if ($Config -and $null -ne $env:AWS_CONFIG_FILE)
+            {
+                $env:AWS_CONFIG_FILE
+            }
+            elseif ($Credentials -and $null -ne $env:AWS_SHARED_CREDENTIALS_FILE)
             {
-                Join-Path $AlternateDirectory $PSCmdlet.ParameterSetName
+                $env:AWS_SHARED_CREDENTIALS_FILE
             }
             else
             {
@@ -65,7 +68,7 @@ Function Write-CliConfigurationFile
                     }
                     else
                     {
-                        Add-Content -Path $outFile -Value "$j=$($InputObject[$i][$j])" -Encoding $Encoding
+                        Add-Content -Path $outFile -Value "$j = $($InputObject[$i][$j])" -Encoding $Encoding
                     }
 
                 }

diff --git a/aws-toolbox/Public/IAM/Set-ATIAMCliExternalCredentials.ps1 b/aws-toolbox/Public/IAM/Set-ATIAMCliExternalCredentials.ps1
@@ -0,0 +1,70 @@
+function Set-ATIAMCliExternalCredentials
+{
+<#
+    .SYNOPSIS
+        Configue aws-toolbox as an AWS CLI Credential Process
+
+    .DESCRIPTION
+        This cmdlet maps a PowerShell stored profile into the AWS CLI credential file
+        as a provider of external credentials. This is useful to get AWS CLI to use a
+        saved SAML profile when e.g. you use Active Directory integration to authenticate
+        with AWS
+
+    .PARAMETER ProfileName
+        Name of PowerShell stored profile to use.
+
+    .PARAMETER CliProfileName
+        Name of profile to create in CLI credentials file. If omitted, then the name
+        passed to ProfileName will be used.
+#>
+    [CmdletBinding()]
+    param
+    (
+        [string]$CliProfileName
+    )
+
+    DynamicParam
+    {
+        $validateSet = Get-AWSCredential -ListProfileDetail | Select-Object -ExpandProperty ProfileName | Sort-Object -Unique
+        New-DynamicParam -Name ProfileName -Mandatory -ValidateSet $validateSet -HelpMessage 'Name of PowerShell stored profile to use'
+    }
+
+    begin
+    {
+        foreach ($p in $PSBoundParameters.Keys)
+        {
+            if (-not (Get-Variable -Name $p -Scope Local -ErrorAction SilentlyContinue))
+            {
+                Set-Variable -Name $p -Value $PSBoundParameters[$p] -Scope Local
+            }
+        }
+        if ($null -eq $ProfileName)
+        {
+            throw "Profile Name not set"
+        }
+    }
+
+    process
+    {}
+
+    end
+    {
+        if ([string]::IsNullOrEmpty($CliProfileName))
+        {
+            $CliProfileName = $ProfileName
+        }
+
+        $creds = Read-CliConfigurationFile -Credentials
+
+        if ($creds.ContainsKey($CliProfileName))
+        {
+            $creds.Remove($CliProfileName)
+        }
+
+        $creds[$CliProfileName] = @{
+            credential_process = (Get-CredentialProcess).CredentialProcess -f $ProfileName
+        }
+
+        $creds | Write-CliConfigurationFile -Credentials
+    }
+}
diff --git a/aws-toolbox/aws-toolbox.psd1 b/aws-toolbox/aws-toolbox.psd1
@@ -53,6 +53,7 @@
         'Set-ATConfigurationItem'
         'Invoke-ATDiffTool'
         'Get-ATEC2SecurityGroupDependencies'
+        'Set-ATIAMCliExternalCredentials'
         )
 
     # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.

diff --git a/tests/aws-toolbox.Private.Tests.ps1 b/tests/aws-toolbox.Private.Tests.ps1
@@ -296,6 +296,9 @@ InModuleScope $ModuleName {
 
     Describe 'AWS CLI Configuration Files' {
 
+        $savedConfig = $env:AWS_CONFIG_FILE
+        $savedCredentials = $env:AWS_SHARED_CREDENTIALS_FILE
+
         Context 'Read existing configuation' {
 
             $config = Read-CliConfigurationFile -Config
@@ -353,22 +356,34 @@ InModuleScope $ModuleName {
 
             if ($config.ContainsKey('default'))
             {
-                $sectionData = $config['default']
+                $script:sectionData = $config['default']
 
                 It 'Has an access key in [default] section' {
 
-                    $sectionData.ContainsKey('aws_access_key_id') | Should -BeTrue
+                    $script:sectionData.ContainsKey('aws_access_key_id') | Should -BeTrue
                 }
 
                 It 'Has an secret key in [default] section' {
 
-                    $sectionData.ContainsKey('aws_secret_access_key') | Should -BeTrue
+                    $script:sectionData.ContainsKey('aws_secret_access_key') | Should -BeTrue
                 }
             }
         }
 
         Context 'Writing the config file' {
 
+            $script:storedData = $null
+
+            BeforeEach {
+
+                $env:AWS_CONFIG_FILE = Join-Path $TestDrive 'config'
+            }
+
+            AfterEach {
+
+                $env:AWS_CONFIG_FILE = $savedConfig
+            }
+
             $initialData = @{
                 default = @{
                     region = 'eu-west-1'
@@ -380,53 +395,66 @@ InModuleScope $ModuleName {
 
             It 'Creates initial config' {
 
-                $initialData | Write-CliConfigurationFile -Config -AlternateDirectory $TestDrive
+                $initialData | Write-CliConfigurationFile -Config
                 $configFile | Should -Exist
                 $fileSize = (Get-Item $configFile).Length
             }
 
             It 'Updates config file' {
 
                 $initialData['default'].Add('output', 'json')
-                $initialData | Write-CliConfigurationFile -Config -AlternateDirectory $TestDrive
+                $initialData | Write-CliConfigurationFile -Config
                 $configFile | Should -Exist
                 $newFileSize = (Get-Item $configFile).Length
 
                 $newFileSize | Should -BeGreaterThan $fileSize -Because "the file should have been appended."
             }
 
-            $storedData = Read-CliConfigurationFile -Config -AlternateDirectory $TestDrive
 
             It 'Reads the config file created above' {
 
-                ($storedData.Keys | Measure-Object).Count | Should -BeExactly 1
+                $script:storedData = Read-CliConfigurationFile -Config
+                ($script:storedData.Keys | Measure-Object).Count | Should -BeExactly 1
             }
 
             It 'Has a [default] section' {
 
-                $storedData.ContainsKey('default') | Should -BeTrue
+                $script:storedData.ContainsKey('default') | Should -BeTrue
             }
 
-            if ($storedData.ContainsKey('default'))
+            if ($script:storedData.ContainsKey('default'))
             {
-                $sectionData = $storedData['default']
+                $script:sectionData = $script:storedData['default']
 
                 It 'Should have stored correct default region' {
 
-                    $sectionData.ContainsKey('region') | Should -BeTrue
-                    $sectionData['region'] | Should -Be 'eu-west-1'
+                    $script:sectionData.ContainsKey('region') | Should -BeTrue
+                    $script:sectionData['region'] | Should -Be 'eu-west-1'
                 }
 
                 It 'Should have stored correct output format' {
 
-                    $sectionData.ContainsKey('output') | Should -BeTrue
-                    $sectionData['output'] | Should -Be 'json'
+                    $script:sectionData.ContainsKey('output') | Should -BeTrue
+                    $script:sectionData['output'] | Should -Be 'json'
                 }
             }
         }
 
         Context 'Writing the credential file' {
 
+            $script:storedData = $null
+
+            BeforeEach {
+
+                $env:AWS_SHARED_CREDENTIALS_FILE = Join-Path $TestDrive 'credentials'
+            }
+
+            AfterEach {
+
+                $env:AWS_SHARED_CREDENTIALS_FILE = $savedCredentials
+            }
+
+
             $accessKey = 'AKIAITL6SYXXQEXAMPLE'
             $secretKey = '+pdwYIYvKVpW1//FokBjqFXxOnzbmyEXAMPLE'
             $initialData = @{
@@ -440,36 +468,36 @@ InModuleScope $ModuleName {
 
             It 'Creates initial credentials' {
 
-                $initialData | Write-CliConfigurationFile -Credentials -AlternateDirectory $TestDrive
+                $initialData | Write-CliConfigurationFile -Credentials
                 $credentialFile | Should -Exist
             }
 
-            $storedData = Read-CliConfigurationFile -Credentials -AlternateDirectory $TestDrive
 
             It 'Reads the credentials file created above' {
 
-                ($storedData.Keys | Measure-Object).Count | Should -BeExactly 1
+                $script:storedData = Read-CliConfigurationFile -Credentials
+                ($script:storedData.Keys | Measure-Object).Count | Should -BeExactly 1
             }
 
             It 'Has a [mycreds] section' {
 
-                $storedData.ContainsKey('mycreds') | Should -BeTrue
+                $script:storedData.ContainsKey('mycreds') | Should -BeTrue
             }
 
-            if ($storedData.ContainsKey('mycreds'))
+            if ($script:storedData.ContainsKey('mycreds'))
             {
-                $sectionData = $storedData['mycreds']
+                $script:sectionData = $script:storedData['mycreds']
 
                 It 'Should have stored correct access key' {
 
-                    $sectionData.ContainsKey('aws_access_key_id') | Should -BeTrue
-                    $sectionData['aws_access_key_id'] | Should -Be $accessKey
+                    $script:sectionData.ContainsKey('aws_access_key_id') | Should -BeTrue
+                    $script:sectionData['aws_access_key_id'] | Should -Be $accessKey
                 }
 
                 It 'Should have stored correct secret key' {
 
-                    $sectionData.ContainsKey('aws_secret_access_key') | Should -BeTrue
-                    $sectionData['aws_secret_access_key'] | Should -Be $secretKey
+                    $script:sectionData.ContainsKey('aws_secret_access_key') | Should -BeTrue
+                    $script:sectionData['aws_secret_access_key'] | Should -Be $secretKey
                 }
 
                 $accessKey = 'AKIAITXXXXXXQEXAMPLE'
@@ -478,22 +506,22 @@ InModuleScope $ModuleName {
 
                 It 'Updates credentials file with new access key' {
 
-                    $initialData | Write-CliConfigurationFile -Credentials -AlternateDirectory $TestDrive
+                    $initialData | Write-CliConfigurationFile -Credentials
                     $credentialFile | Should -Exist
                 }
 
-                $sectionData = (Read-CliConfigurationFile -Credentials -AlternateDirectory $TestDrive)['mycreds']
 
                 It 'Has stored updated access key' {
 
-                    $sectionData.ContainsKey('aws_secret_access_key') | Should -BeTrue
-                    $sectionData['aws_secret_access_key'] | Should -Be $secretKey
+                    $script:sectionData = (Read-CliConfigurationFile -Credentials)['mycreds']
+                    $script:sectionData.ContainsKey('aws_secret_access_key') | Should -BeTrue
+                    $script:sectionData['aws_secret_access_key'] | Should -Be $secretKey
                 }
 
                 It 'Has not changed the secret key' {
 
-                    $sectionData.ContainsKey('aws_secret_access_key') | Should -BeTrue
-                    $sectionData['aws_secret_access_key'] | Should -Be $secretKey
+                    $script:sectionData.ContainsKey('aws_secret_access_key') | Should -BeTrue
+                    $script:sectionData['aws_secret_access_key'] | Should -Be $secretKey
                 }
             }
         }